search

rwfpl / rewolf-wow64ext

Helper library for x86 programs that runs under WOW64 layer on x64 versions of Microsoft Windows operating systems.
932 stars 295 forks source link

Strange crash when run outside of debugger on Windows 10 #15

Open rcx opened 5 years ago

rcx commented 5 years ago

Hello, thanks for your project. This is really great.

I'm trying to use the library on Windows 10 64-bit. Under Visual Studio's debugger or WinDbg, the program runs fine. When I run it from explorer or cmd, it crashes. To test, I am using the sample program provided, compiled with VS 2017 build tools. It also crashes when compiled with VS 2015 build tools. I tried compiling it myself and using the precompiled dll.

Interestingly, GetModuleHandle64 seems to work fine, but other functions like ReadProcessMemory64 or WriteProcessMemory64 cause a crash.

Some example code:

    printf("hello world\n");
    DWORD64 ntdll = GetModuleHandle64(L"ntdll.dll"); // OK
    printf("ntdll 64 = %llx\n", ntdll);
    HANDLE hProcess = GetCurrentProcess();
    char mem[10];
    BOOL succ = ReadProcessMemory64(hProcess, ntdll, mem, sizeof(mem), NULL); // crash

My Windows version is 10 Enterprise LTSC / 10.0.17763 Build 17763

I attached an compiled exe that is causing the crash here. This is the sample program. main.zip